Yeqifu Warehouse Improper Access Control Vulnerability in Customer Management Endpoint
Vulnerability
A vulnerability exists in Yeqifu Warehouse versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4, specifically within the Customer Endpoint. The issue arises in the CustomerController.java file, affecting the addCustomer, updateCustomer, and deleteCustomer functions. This vulnerability allows logged-in users to manipulate core business data by adding, updating, or deleting customer information without proper authorization. As a result, it could lead to unauthorized changes, fraudulent records, and potential disruptions in business operations. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized access control, enabling logged-in users to alter or delete customer, provider, and goods data. This could result in significant integrity loss, creation of fraudulent records, and disruption of normal business operations.
Reproduction
To reproduce this vulnerability, log into the application and send a request to the customer management endpoints (addCustomer, updateCustomer, or deleteCustomer) without the necessary permissions. The absence of access control will allow the operation to be performed successfully, demonstrating the vulnerability.
Remediation
It is recommended to implement proper role-based access controls for the affected endpoints, ensuring that only authorized users can perform add, update, or delete actions. Validation of ownership should be included where applicable.
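One way to apply the recommended role and ownership checks to the three handlers named above, as an added illustration and not the project's own code. It assumes Spring Security with method security enabled, a hypothetical CustomerService bean with an isOwnedBy(id, username) method, and hypothetical request paths, role names and Customer type; none of these are taken from the Yeqifu Warehouse source.

```java
// Added example, not the project's own code. Assumes Spring Security with method
// security enabled (@EnableMethodSecurity on a config class), a hypothetical
// CustomerService bean, and hypothetical paths, role names and Customer type.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/customer")
public class CustomerController {

    @Autowired
    private CustomerService customerService; // hypothetical bean

    // BEFORE (the flaw described above): being logged in is the only gate, so
    // any authenticated account can reach the write handlers:
    //   @PostMapping("/deleteCustomer")
    //   public String deleteCustomer(@RequestParam long id) {
    //       customerService.delete(id);
    //       return "ok";
    //   }

    // AFTER: the role check runs before the handler body. Creating a customer
    // is restricted to a role allowed to change master data.
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/addCustomer")
    public String addCustomer(@RequestBody Customer customer) {
        customerService.add(customer);
        return "ok";
    }

    // Role OR ownership: an admin may update any record, a regular user only
    // records it owns. The SpEL expression calls the hypothetical bean method
    // customerService.isOwnedBy(id, username) with the caller's username.
    @PreAuthorize("hasRole('ADMIN') or @customerService.isOwnedBy(#customer.id, authentication.name)")
    @PostMapping("/updateCustomer")
    public String updateCustomer(@RequestBody Customer customer) {
        customerService.update(customer);
        return "ok";
    }

    // Deletion is the most destructive write, so it gets the strictest rule.
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/deleteCustomer")
    public String deleteCustomer(@RequestParam long id) {
        customerService.delete(id);
        return "ok";
    }
}
```

Per-method annotations fix the three handlers listed in the advisory, but a handler added later without an annotation would reopen the gap; pairing them with a deny-by-default rule in the central HTTP security configuration covers that case.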